When your exporter devices have a very large amount of traffic passing through them, exporting full traffic might overload your networking devices.
In such case, you may want to export only a small random portion of traffic and then project total values in NetFlow Analyzer based on the sample rate.
However, sampling brings some pitfalls with it and for this reason we are presenting here comparison of full and sampled export for you to better decide which one to use.
100% accurate traffic data All exporter devices (incl. firewalls) and NetFlow Analyzers support
Lower CPU on exporters (routers and switches) because majority of the packets are not processed Lower CPU, RAM and HDD on NetFlow Analyzer server because less fps is processed and stored Lower licensing cost (if based on fps)
Total traffic trend, baseline, traffic drill-down by dimensions
Total traffic trend and baseline
Traffic routing, capacity planning Host conversations, application usage analysis, raw data forensics and security investigation
Traffic routing, capacity planning
For exact instructions how to sample exported traffic, please go to your vendor documentation.
A good rule of thumb is to go with full export whenever you can.
Sampling should be used only if you need basic monitoring, if only sFlow is supported or if your network traffic is on such a large scale that it is practically irrational to collect, process and store such a vast amount of data.